Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user-controlled, leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user-provided size fits within the bounds of the defined buffer
size.

Bug: 33300353
Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094
Signed-off-by: Robb Glasser <rglasser@google.com>
Reviewed-on: https://android.intel.com/577969
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index a2f4501..f61d1d7 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1939,6 +1939,9 @@
 	if (!found)
 		return -ENOENT;
 
+	if (ctrl->info.size < mapping->size)
+		return -EINVAL;
+
 	if (mutex_lock_interruptible(&chain->ctrl_mutex))
 		return -ERESTARTSYS;
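
Review bot: The added comparison ctrl->info.size < mapping->size bounds only the mapping's size, and nothing in the hunk shows that the two fields use the same unit or that the position of the mapped field inside the control buffer is accounted for, so a mapping that passes this check could still reach past the end of the buffer. Please confirm the units on both sides, include the mapping's offset in the comparison if that value is also user-supplied (rejecting any mapping whose offset plus size exceeds the control size), and add a one-line comment above the check saying which user-provided values it validates.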